Notarising Plugins

Well I’m looking for help on how to notarize plugins.

What I did/tried so far: I set hardened runtime in Projucer and Developer ID for signing. I archived everything in Xcode, but if I go to Organizer and press “Distribute content” it only offers me “Build product” and “Archive”.
I was wondering if it is because these are plugins and not apps, so I tried it with the standalone app. For this, notarization works fine, so it seems that the notarization process is different for plugins.

I also wanted to try the manual way with the terminal, but there I get an error which says “altool” is an unknown command.

Also I’m confused: do I have to notarize the plugins themselves before making an installer, or is it enough to just notarize the installer? I was told you would have to notarize them before building an installer, but as I understood Apple’s documentation, packing them in an installer for notarization would be fine and it would notarize both the plugins and the installer.

What seems to work for me is this:

  • code-sign non-AAX plugins (with hardened run-time and timestamp)
  • use wraptool to sign AAX plugins (with option to use hardened run-time and timestamp)
  • use productsign to sign the installer (I use Packages to make my installer)
  • notarize the installer

If altool can’t be found, maybe you need to use “xcrun altool” instead?

1 Like

I don’t have an AAX-version. That’s something for another time.

Could you maybe explain the process of signing? Or do you know any good tutorial for that?
If I get it right, I have to make an archive in Xcode, then build the plugins and pack them into a .zip and upload the .zip for notarization, right?

But from that point on where I zipped the plugins I have no idea how to continue^^.

What works for me (and I’m sure the build step below can be improved/automated, but I don’t mind doing it this way, for now) is this:

  • in Xcode, I select “MyProduct - All” as build target and do “Build for - Profiling” (this builds the Release versions of my plugins; you may need to double-check that the flag “Build active architecture only” is set to “No”, but it should be by default I think)
  • then I do this on the command line to sign and then verify (here for the AU version, but you need to do this for VST, VST3, … too):
codesign --sign "Developer ID Application: MyCompany" -f -o runtime --timestamp -v "MyProduct.component"
codesign --verify -v "MyProduct.component"
  • at this point, I have code-signed versions of my plugin, and I now run the Packages application (see: WhiteBox - Packages) to package up everything into a .pkg file named “MyProductInstallerUnsigned.pkg”
packagesbuild -v "MyProductInstaller.pkgproj"
  • I then sign the installer .pkg with this:
productsign --sign "Developer ID Installer: MyCompany" "MyProductInstallerUnsigned.pkg" "MyProductInstaller.pkg"
rm "MyProductInstallerUnsigned.pkg"
NotarizeApp.sh 'MyCompany' 'me@mycompany.com' 'mypassword' 'com.mycompany.MyProductInstaller.pkg' "MyProductInstaller.pkg"
  • I then also do a final assessment with spctl:
spctl --assess -vvv --type install "MyProductInstaller.pkg"

Also for me it took quite some reading up around the web + good help from some friendly forum people here to find out about all the various steps to get here, so I hope this helps…

Disclaimer: there might be typos, and you’ll need to adjust product name, company and probably some paths in the commands above…

6 Likes

So I’m now at that step where I sign the installer. Till now I only signed in Xcode with autosign, so sorry if this is a stupid question.

But what do I put in for “Developer ID Application: MyCompany”? Just replacing MyCompany doesn’t seem to work.

OK. First: just saying “it doesn’t work” does not help anyone to understand what’s going wrong for you.
You should at least provide the output that indicates that it’s “not working”, if you want someone here to help you further… This is a general thing we all need to learn: people can’t help you if you don’t show the info about how it’s not working…

That being said:

You are talking about signing the installer now.
Then you say you replaced MyCompany in “Developer ID Application: MyCompany”.
Also for me, that won’t work, because the line I posted in my previous reply shows this:
“Developer ID Installer: MyCompany”
Note the difference?
There are 2 certificates in play here: one for code signing and one for signing my installer.
You can create certificates when you log in to your Apple developer account.
I hope this helps you on your way a bit further.

Edit: Just for all clarity, this is what I do for distributing a plugin outside the Mac App Store.

Ok, sorry for not giving enough information; however, your answer was nevertheless what I needed to know ^^, so thanks for that.

But now I’m stuck at the Notarize.sh script. If I try to run it I get the following error:

ERROR: submitting app for notarization failed! See log below:
xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun

I inserted the following details
‘MyCompany’ = Team-ID
‘me@mycompany.com’ = Mail of my Apple ID
‘mypassword’ = App specific password
‘com.mycompany.MyProductInstaller.pkg’ = com.d1rtyduck.Name of installer
“MyProductInstaller.pkg” = Name of Installer

OK, good, almost there!
A quick Google search with your error showed me this:

(you probably don’t have the command-line tools installed?)

1 Like

Now it finally worked. Thanks a lot for your help.

One thing just in case anyone else is having the same problem and following this:
My first notarization request was denied; the reason for this was that the plugins were signed wrong. I was building the plugins with auto-sign in Xcode, so I skipped the signing process KoenTanghe described. I then did everything like he described with manual (re)signing and it worked, and the notarization was accepted by Apple.

2 Likes

2023 update: altool has been deprecated by Apple and replaced by notarytool. It seems the script provided by @KoenTanghe is no longer needed as notarytool does the job for you. Here’s what worked for me yesterday:

Code signing

  • Log in to Apple Developer account and create two new certificates: “Developer ID Certificate” and “Developer ID Installer”. Download the .cer files and open them, adding them to the System (rather than iCloud) keychain.
  • sign your plugin binaries (.vst3, .Component etc) as described by @KoenTanghe:
codesign --sign "Developer ID Application: MyCompanyName" -f -o runtime --timestamp -v "path/to/binary"

The only things that need changing in the above command are “MyCompanyName” and “path/to/binary”. Note that if you’re a solo dev your Apple Developer company name might just be your name (mine is C Baker). Check your apple developer account page.

  • Build your installer using the Whitebox - Packages app, selecting your now code-signed binaries.
  • Sign your installer:
productsign --sign "Developer ID Installer: MyCompanyName" "path/to/unsigned/installer.pkg" "path/to/newly/signed/installer.pkg"

Similarly, only change “MyCompanyName” and the two paths. Note the use of productsign instead of codesign and “Installer” instead of “Application”.

  • Check the signing was successful:
codesign -vvv --deep --strict "path/to/binary"
pkgutil --check-signature "path/to/installer"

These should return “satisfies its Designated Requirement” and “signed by a developer certificate issued by Apple for distribution, Signed with a trusted timestamp” respectively.

Notarize your signed installer (and the signed binaries it contains)

  • Log in to https://appleid.apple.com and create a new “Application specific password” for the app “notarytool”.
  • Store the application specific password in the terminal using xcrun notarytool store-credentials. When prompted, enter a name for the stored credentials profile (I used “NOTARYTOOL_PASSWORD”), then leave the private key field blank, which will cause the program to prompt you for your Apple ID, then your app specific password, and then your Apple Developer Team ID (which can be found on your Apple developer account page, and is a seemingly random alphanumeric string).
  • Notarize the installer:
xcrun notarytool submit "path/to/signed/installer.pkg" --keychain-profile NOTARYTOOL_PASSWORD --wait

Replace NOTARYTOOL_PASSWORD with the name you chose to store your app specific password in the keychain with xcrun notarytool store-credentials above. Wait for the package to upload and processing to complete. You should eventually be told that your installer has been accepted.

  • Staple the notarisation to the installer:
xcrun stapler staple "path/to/signed/installer.pkg"
7 Likes
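The steps from the two signing posts above (KoenTanghe’s list with codesign, packagesbuild, productsign and spctl, and the 2023 notarytool update) collected into one script, as an added example that is not code from the thread, from Apple or from JUCE. The team name, keychain profile name, file names and the DRY_RUN switch are assumptions for illustration; the script does nothing the posts above do not already describe, it only fixes the order (bundles are signed before the .pkg is built, because Packages copies whatever is on disk into the payload) and fails on the first step that returns non-zero.

```shell
#!/bin/sh
# Added example (not the thread's NotarizeApp.sh): sign plug-in bundles, build and
# sign the installer .pkg, notarize it with notarytool, staple and assess.
# Assumptions (hypothetical, adjust to your setup):
#   - Xcode command-line tools installed: codesign, productsign, pkgutil, spctl, xcrun
#   - WhiteBox Packages installed (provides packagesbuild)
#   - "Developer ID Application: <Team>" and "Developer ID Installer: <Team>" in the keychain
#   - a notarytool profile already created with `xcrun notarytool store-credentials`
#   - DRY_RUN=1 prints each command instead of running it (handy on a machine without Xcode)
set -eu

: "${DRY_RUN:=0}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Two different certificates: the Application identity signs code bundles,
# the Installer identity signs .pkg files. Mixing them up is the error seen in the thread.
app_identity()       { printf 'Developer ID Application: %s' "$1"; }
installer_identity() { printf 'Developer ID Installer: %s' "$1"; }

# sign_bundle <team-name> <bundle>: hardened runtime + secure timestamp, then strict verify.
# Without --options runtime and --timestamp the notary service rejects the binary.
sign_bundle() {
  run codesign --sign "$(app_identity "$1")" --force --options runtime --timestamp "$2"
  run codesign --verify -vvv --deep --strict "$2"
}

# build_pkg <MyProduct.pkgproj>: Packages picks up the already-signed bundles from disk.
build_pkg() {
  run packagesbuild -v "$1"
}

# sign_pkg <team-name> <unsigned.pkg> <signed.pkg>
sign_pkg() {
  run productsign --sign "$(installer_identity "$1")" "$2" "$3"
  run pkgutil --check-signature "$3"
}

# notarize_and_staple <keychain-profile> <signed.pkg>
# --wait blocks until Apple answers Accepted or Invalid; on Invalid, read the reason with
# `xcrun notarytool log <submission-id> --keychain-profile <profile>`.
notarize_and_staple() {
  run xcrun notarytool submit "$2" --keychain-profile "$1" --wait
  run xcrun stapler staple "$2"
  run xcrun stapler validate "$2"
  run spctl --assess -vvv --type install "$2"
}

# main <team-name> <keychain-profile> <pkgproj> <unsigned.pkg> <signed.pkg> <bundle>...
main() {
  team=$1; profile=$2; pkgproj=$3; unsigned=$4; signed=$5; shift 5
  for bundle in "$@"; do            # sign every plug-in format first (AU, VST3, ...)
    sign_bundle "$team" "$bundle"
  done
  build_pkg "$pkgproj"
  sign_pkg "$team" "$unsigned" "$signed"
  notarize_and_staple "$profile" "$signed"
}

# Example invocation with constructed names:
#   DRY_RUN=1 sh notarize.sh MyCompany NOTARYTOOL_PASSWORD MyProductInstaller.pkgproj \
#       MyProductInstallerUnsigned.pkg MyProductInstaller.pkg MyProduct.component MyProduct.vst3
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it once with DRY_RUN=1 to read the exact commands it will issue, then without, on the Mac that holds the certificates; `set -e` means a rejected signature or an Invalid notarization stops the run before stapling.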

Is anyone else having problems getting notarytool to work since yesterday?

Edit: Never mind, looks like “--options runtime” was needed for an .app which was added to the pkg being notarized, where it apparently wasn’t required for VST3/AU. Not sure why they are treated differently.